MetricStream has published the results of its global IT Risk and Compliance Survey, in which enterprise security and risk professionals from around the world were surveyed about their top IT cyber risk strategies and concerns.
Key findings include:
IT risk programs have executive visibility; the majority are not driven by the CISO
The survey shows that 70 percent of respondents agree that their senior management and leadership help establish the strategic direction of their IT risk management program. However, only 29 percent of respondents say that their IT risk program rolls up to the Chief Information Security Officer (CISO).
Most IT risk programs have yet to reach optimal maturity
When asked about the maturity level of their IT risk programs, 69 percent of respondents stated that they are not quantitatively managing their IT risk program. Furthermore, 31 percent of respondents report having IT risk assessment reviews on a quarterly basis. Only 15 percent stated having monthly reviews.
The number one tool used for IT risk management – spreadsheets
When asked what tools are used for IT risk management, the number one response was spreadsheets. More than 45 percent of respondents reported using spreadsheets, even if they had an IT GRC solution in place. Moreover, 54 percent stated not using any IT GRC solution to manage IT risks.
Investments in security and compliance are top risk priorities for 2021
When asked about future plans, 38 percent of respondents stated that they are planning to increase their spend on IT risk management in 2021. Additionally, respondents ranked their top 2021 priorities to be: 1) investment in IT security solutions, 2) compliance with federal and government regulations, and 3) IT security data aggregation and reporting.